Page 5 of 60 results (0.033 seconds)

CVSS: 8.8EPSS: 0%CPEs: 40EXPL: 0

A component for parsing OXMF templates could be abused to execute arbitrary system commands that would be executed as the non-privileged runtime user. Users and attackers could run system commands with limited privilege to gain unauthorized access to confidential information and potentially violate integrity by modifying resources. The template engine has been reconfigured to deny execution of harmful commands on a system level. No publicly available exploits are known. Se podría abusar de un componente para analizar plantillas OXMF para ejecutar comandos arbitrarios del sistema que se ejecutarían como usuario de tiempo de ejecución sin privilegios. • http://packetstormsecurity.com/files/176421/OX-App-Suite-7.10.6-XSS-Command-Execution-LDAP-Injection.html http://seclists.org/fulldisclosure/2024/Jan/3 https://documentation.open-xchange.com/appsuite/security/advisories/csaf/2023/oxas-adv-2023-0005.json https://software.open-xchange.com/products/appsuite/doc/Release_Notes_for_Patch_Release_6248_7.10.6_2023-09-19.pdf • CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') •

CVSS: 4.3EPSS: 0%CPEs: 38EXPL: 0

OX App Suite before backend 7.10.6-rev37 allows authenticated users to bypass access controls (for reading contacts) via a move to their own address book. • http://seclists.org/fulldisclosure/2023/May/3 https://open-xchange.com •

CVSS: 5.3EPSS: 0%CPEs: 25EXPL: 0

OX App Suite before frontend 7.10.6-rev24 allows the loading (without user consent) of an e-mail message's remote resources during printing. • http://seclists.org/fulldisclosure/2023/May/3 https://open-xchange.com •

CVSS: 6.1EPSS: 0%CPEs: 25EXPL: 0

OX App Suite before frontend 7.10.6-rev24 allows XSS via a non-app deeplink such as the jslob API's registry sub-tree. • http://seclists.org/fulldisclosure/2023/May/3 https://open-xchange.com • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •

CVSS: 6.1EPSS: 0%CPEs: 25EXPL: 0

OX App Suite before frontend 7.10.6-rev24 allows XSS via data to the Tumblr portal widget, such as a post title. • http://seclists.org/fulldisclosure/2023/May/3 https://open-xchange.com • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •